A couple of weeks ago we posted on here about Android manufacturers unable to patch devices in a timely fashion, and HTC being unable to commit to Google’s monthly update pledge. This was for a number of reasons, including the costs in developing security patches fast enough to release on that aggressive timeline. To put another argument forward to push the vendors, Cambridge University has reported that 88 percent of Android devices could be at risk and they suggest a security grading system to monitor the manufacturers. Due to the open nature of Android, the operating system has grown to exceptional heights but it can be argued this has not been controlled where it comes to protecting the user. The University has claimed that the devices have been supplied without a proper security protection mechanism against the latest threats and attacks. This brings the Android business model into question.
The report, from Cambridge Computer Laboratory researchers Daniel R Thomas, Alastair R Beresford, and Andrew Rice, estimates that 87.7 percent of devices contained at least one major vulnerability that could leave handsets at risk, as many users can expect just one update a year. This year alone, we have seen lots of noise around “Stagefright” and “Certifi-Gate“, which were found to affect most Android devices straight out of the box.
Google, the founders and developers of Android have not been targeted in the report. The manufacturers have been blamed for slow releases for the updates. Core Google devices like the Nexus range received the most praise for quick turnarounds on patches and updates in terms of the LG (and Motorola) made Nexus devices.
“The security of Android depends on the timely delivery of updates to x critical vulnerabilities,” the report concluded. “Unfortunately few devices receive prompt updates, with an overall average of 1.26 updates per year, leaving devices un-patched for long periods.”
We showed that the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to x critical vulnerabilities. This arises in part because the market for Android security today is like the market for lemons: there is information asymmetry between the manufacturer, who knows whether the device is currently secure and will receive updates, and the consumer, who does not.
Consequently there is little incentive for manufacturers to provide updates.”
The university now propose giving “grades” to Android manufacturers based on their performance in pushing out patches and updates. This means users and regulators can monitor the progress of each individual manufacturer.
Source: Cambridge University